[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607972#comment-16607972 ]

Girish Vasmatkar commented on OFBIZ-10427:
------------------------------------------

Hi Jacques

I am attaching a patch for web.xml changes. Alas, this filter does not support wildcards yet, so there are lots of URLs in the entryPoints param. Not an ideal way to go about it, unless we write our own implementation, probably by subclassing this filter and providing wildcard support. For now, I have provided a patch for the webtools web.xml. Similar entry points will have to be determined and applied for each web-app.

Please review and let me know of any issue or concern you may have. [https://localhost:8443/webtools/] should not produce a forbidden response now, and you should also see the nonce added to each request.

> Add a mean to handle CSRF
> -------------------------
>
>                 Key: OFBIZ-10427
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10427
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> I already worked on that in OFBiz but without success so far: https://markmail.org/message/r245yie623cdo3wz
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really not simple in OFBiz)
> * https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction (I think preferred)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
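For readers who have not seen the Tomcat filter wired up, here is an added example of what the web.xml change described in the comment looks like. It is not the patch attached to this issue and not OFBiz code: the filter class and the init-param names (entryPoints, nonceCacheSize, denyStatus) are Tomcat's own, while the entry-point paths are assumptions chosen to illustrate the point that every landing page has to be listed literally.

```xml
<!-- Constructed example, not the patch attached to OFBIZ-10427.
     Registers Tomcat's CsrfPreventionFilter in one web-app's web.xml.
     The paths listed under entryPoints are illustrative assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>

    <!-- Context-relative paths that may be requested WITHOUT a nonce,
         e.g. when a user follows a bookmark back into the app. The filter
         compares them literally: no wildcards, so every landing page must
         be spelled out. Keep the list to safe GET pages only; a URL that
         changes state must never be an entry point. -->
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/,/control/main,/control/login</param-value>
    </init-param>

    <!-- Number of recent nonces kept valid per session (Tomcat default 5).
         Raise it if users working in several tabs see spurious denials. -->
    <init-param>
      <param-name>nonceCacheSize</param-name>
      <param-value>5</param-value>
    </init-param>

    <!-- Status returned when the nonce is missing or stale (default 403). -->
    <init-param>
      <param-name>denyStatus</param-name>
      <param-value>403</param-value>
    </init-param>
  </filter>

  <!-- Protect the whole webapp; the exceptions live in entryPoints above. -->
  <filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
```

Two things to check when testing such a change: the filter only adds the nonce parameter to URLs that pass through `HttpServletResponse.encodeURL()` or `encodeRedirectURL()`, so any page that builds links by other means will be denied on the next click; and a 403 on a page that is not in entryPoints and was reached without a nonce is the filter working as designed, not a misconfiguration.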